Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
Microsoft Corporation
Published: October 2006
Author: Brian Lich
Editor: Carolyn Eller
Abstract
This step-by-step guide provides instructions for deploying Microsoft Office SharePoint
Server 2007 in a Microsoft Windows Rights Management Services (RMS) with Service
Pack 2 environment. It includes the necessary information for installing and configuring
RMS, installing and configuring Office SharePoint Server 2007 in the newly created RMS
infrastructure, and verifying that Office SharePoint Server 2007 documents can be rights-
protected and consumed.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2006 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, SharePoint, MS-DOS, SQL Server, Windows, Windows NT,
and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
  About this Guide
    What This Guide Does Not Provide
  Deploying RMS in a Test Environment
  Requirements for RMS with Service Pack 2
  Steps for Deploying RMS with Office SharePoint Server 2007
    Step 1: Setting up the Infrastructure
      Configure the domain controller (DC)
      Configure the computer to be used as the RMS cluster (RMS-SRV)
      Configure the Office SharePoint Server 2007 server (SPS-SRV)
      Configure the RMS client computer (RMS-CLNT)
    Step 2: Installing and Configuring RMS on RMS-SRV
      Add Application Server role to RMS-SRV
      Install Message Queuing
      Install Microsoft SQL Server 2005 Standard Edition
      Install the RMS cluster
      Configure RMS settings
      Register the SCP in Active Directory
    Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV
      Install Microsoft .NET Framework 2.0
      Install Microsoft .NET Framework 3.0
      Add Application Server role to SPS-SRV
      Install Office SharePoint Server 2007
      Configure Office SharePoint Server 2007 for RMS
    Step 4: Verifying RMS Functionality on RMS-CLNT
Deploying Windows Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
About this Guide
This step-by-step guide walks you through the process of deploying Microsoft®
Windows® Rights Management Services (RMS) with Service Pack 2 and Microsoft Office
SharePoint® Server 2007 together in a test environment. During this process, you create
an Active Directory® domain, install and configure an RMS cluster on a Microsoft
Windows Server® 2003–based server, install the RMS Logging database server, install
Office SharePoint Server 2007, integrate the Office SharePoint Server 2007 with RMS,
and configure a Windows XP–based RMS client computer.
Upon completion of this step-by-step guide, you will be able to use the test environment
you just built as a baseline for the way it might be deployed in your organization.
Important
Microsoft Windows® SharePoint® Services 3.0 does not have the Microsoft
Office protector files that are required to automatically rights-protect a document
when it is uploaded. You must use Microsoft Office SharePoint Server 2007 to do
this.
As you complete the steps in this guide, you will:
Prepare the infrastructure for Active Directory directory services, RMS, and Office SharePoint Server 2007.
Install and configure RMS.
Install and integrate Office SharePoint Server 2007 into your RMS environment.
Verify RMS and Office SharePoint Server 2007 integration after you complete the configuration.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by
posting them to an Office SharePoint Server 2007 site so that they can be accessed over
the corporate network. The goal of integrating an Office SharePoint Server 2007
deployment with an RMS infrastructure is to be able to protect documents that are
downloaded from the Office SharePoint Server 2007 server by users of any given
organization.
Note
Integrating Office SharePoint Server 2007 with RMS does not protect the
documents while they are on the server. When a document is uploaded to an
Office SharePoint Server 2007 site, the server will remove all protection until a
download request is received by the Office SharePoint Server 2007 server. At
this time, the Office SharePoint Server 2007 server will apply the appropriate
restrictions to the document before it is downloaded to the client computer.
What This Guide Does Not Provide
This guide does not provide the following:
Guidance for integrating Office SharePoint Server 2007 with RMS in a production environment.
Complete technical reference for RMS. For more in-depth technical information about RMS, see http://go.microsoft.com/fwlink/?LinkId=68637.
Complete information about Office SharePoint Server 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=74460.
Deploying RMS in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab
environment. Step-by-step guides are not necessarily meant to be used to deploy
Microsoft products without accompanying documentation and should be used with
discretion as a stand-alone document.
Upon completion of this step-by-step guide, you will have a working RMS infrastructure
integrated with Office SharePoint Server 2007. You can then test and verify RMS and
Office SharePoint Server 2007 interoperability through the simple task of uploading a
Microsoft Office Word 2007 document to the Office SharePoint Server 2007 portal.
The test environment described in this guide includes four computers connected to the
Internet and using a clean installation of the following operating systems, applications,
and services:
Computer Name | Operating System | Applications and Services
RMS-SRV | Windows Server 2003 with Service Pack 1 (SP1) | RMS, Internet Information Services (IIS) 6.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Microsoft SQL Server™ 2005 Standard Edition
DC | Windows Server 2003 with SP1 | Active Directory, Domain Name System (DNS)
SPS-SRV | Windows Server 2003 with SP1 | Office SharePoint Server 2007
RMS-CLNT | Windows XP Professional with Service Pack 2 (SP2) | Microsoft Office Word 2007
Note
If the RMS server is not connected to the Internet, it must be enrolled offline
before the provisioning of the RMS server is complete.
The computers form a private intranet and are connected through a common hub or
Layer 2 switch. This configuration can be emulated in a virtual server environment if
desired. This step-by-step exercise uses private addresses throughout the test lab
configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain
controller is named DC for the domain named cpandl.com. The following figure shows the
configuration of the test environment:
Requirements for RMS with Service Pack 2
The following table describes the minimum hardware requirements and
recommendations for running RMS with Service Pack 2.
Requirement | Recommendation
Personal computer with one Pentium III processor (800 megahertz (MHz) or higher) | Computer with two Pentium 4 processors (1500 MHz or higher)
256 megabytes (MB) of RAM | 512 MB of RAM
20 gigabytes (GB) of free hard disk space | 40 GB of free hard disk space
One network adapter | One network adapter
The following table describes the software requirements for running RMS on a Windows
Server 2003–based computer.
Software | Requirement
Operating system | Windows Server 2003, any editions except Web Edition
File system | NTFS file system is recommended
Messaging | Message Queuing
Web services | Internet Information Services (IIS). ASP.NET must be enabled.
Active Directory | RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3) or later. All users and groups who use RMS to acquire licenses and publish content must have an e-mail address that is configured in Active Directory.
Database server | RMS requires a database and stored procedures to perform operations. In this step-by-step guide you use Microsoft SQL Server 2005 Standard Edition. In a production environment, a separate database server is recommended.
Steps for Deploying RMS with Office SharePoint Server 2007
If your test environment does not have Internet access, there are several installation files
that should be manually copied to each computer. For the Office SharePoint Server 2007
computer, you should copy the .NET Framework 2.0, the .NET Framework 3.0, and the
RMS with Service Pack 2 (SP2) client installation packages. For the RMS client computer,
you should copy the RMS with SP2 client, and for the RMS Server you should copy the
RMS with Service Pack 2 server installation package to the RMS server.
Step 1: Setting up the Infrastructure
Step 2: Installing and Configuring RMS on RMS-SRV
Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV
Step 4: Verifying RMS Functionality on RMS-CLNT
Step 1: Setting up the Infrastructure
To prepare your test environment for installing RMS, you must complete the following
tasks:
Configure the domain controller (DC)
Configure the computer to be used as the RMS cluster (RMS-SRV)
Configure the Office SharePoint Server 2007 server (SPS-SRV)
Configure the RMS client computer (RMS-CLNT)
Configure the domain controller (DC)
To configure the domain controller DC, you must install Windows Server 2003, configure
TCP/IP properties, install Active Directory, raise both the forest and domain functional
levels to Windows Server 2003, create user accounts, and then assign these user
accounts an e-mail address.
First, install Windows Server 2003 as a stand-alone server.
To install Windows Server 2003, Standard Edition
1. Start your computer by using the Windows Server 2003 product CD. (You can
use any edition of Windows Server 2003 except the Web Edition to establish the
domain).
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type DC.
Next, configure TCP/IP properties so that DC has a static IP address of 10.0.0.1. In
addition, configure 10.0.0.1 as the IP address for the DNS server.
To configure TCP/IP properties on DC
1. Log on to DC as DC\ADMINISTRATOR.
2. Click Start, point to Control Panel, and point to Network Connections, double-
click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type
10.0.0.1. In Subnet mask box, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In the Preferred
DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties
dialog box.
Next, configure the computer as a domain controller.
To configure DC as a domain controller
1. Click Start, and then click Run. In the Open box, type dcpromo, and then click
OK.
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
3. Click Next, click the Domain controller for a new domain option, and then click
Next.
4. Select the Domain in a new forest option, and then click Next.
5. In the Full DNS name for new domain box, type cpandl.com, and then click
Next.
6. In the Domain NetBIOS name box, type CPANDL, and then click Next three
times.
7. Select the Install and configure the DNS server on this computer, and set
this computer to use this DNS server as its preferred DNS server option.
8. Select the Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password box, type a strong password. In the Confirm
password box, type the password again, and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.
Note
You must restart the computer after you complete this procedure.
Next, raise the forest functional level in Active Directory to Windows Server 2003.
Important
Once you raise a functional level in Active Directory, you cannot return it to its
original level.
To raise the forest functional level
1. Log on to DC as CPANDL\ADMINISTRATOR.
2. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
3. Right-click Active Directory Domains and Trusts, and then click Raise Forest
Functional Level.
4. Choose Windows Server 2003 from the list box, and then click Raise.
5. Click OK twice.
Next, raise the domain functional level in Active Directory to Windows Server 2003.
To raise the domain functional level
1. Click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. Right-click CPANDL.COM, and then click Raise Domain Functional Level.
3. Choose Windows Server 2003 from the list box, and then click Raise.
4. Click OK twice.
Next, add the following user accounts: RMSSRVC, RMSADMIN, USER1, and USER2.
To add new user accounts
1. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers. This opens the Active Directory Users and
Computers Microsoft Management Console (MMC) snap-in.
2. In the console tree, expand cpandl.com, right-click Users, point to New, and then
click User.
3. In the New Object – User dialog box, type RMSSRVC in the Full name and
User logon name boxes, and then click Next.
4. In the New Object – User dialog box, type a password of your choice in the
Password and Confirm password boxes. Clear the User must change
password at next logon check box, click Next, and then click Finish.
5. Perform the above steps 1-4 for each of the following users: RMSADMIN,
USER1, and USER2.
Finally, add e-mail addresses to the USER1 and USER2 user accounts.
To add e-mail addresses to user accounts
1. In the Active Directory Users and Computers snap-in, right-click USER1, click
Properties, type [email protected] in the E-mail box, and then click OK.
2. Repeat this step for USER2.
3. Close the Active Directory Users and Computers snap-in.
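The requirements table states that every user who acquires licenses or publishes content must have an e-mail address configured in Active Directory. The following PowerShell check is an added example, not part of the original guide; it assumes PowerShell is available on a computer joined to the lab domain and that the caller can read the directory. The function names are hypothetical.

```powershell
# Added example (not from the guide): audit the RMS e-mail prerequisite.
# Assumption: run on a computer joined to the lab domain (cpandl.com).

function Get-RmsMailStatus {
    param(
        # Accounts that will publish or consume protected content in this lab.
        [string[]]$SamAccountName = @('USER1', 'USER2')
    )

    foreach ($name in $SamAccountName) {
        # [adsisearcher] searches the domain of the current computer.
        $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
        $searcher = [adsisearcher]$filter
        $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'mail'))
        $hit = $searcher.FindOne()

        # The mail property is absent from the result when the E-mail box is empty.
        $mail = $null
        if ($hit -and $hit.Properties.Contains('mail')) {
            $mail = [string]$hit.Properties['mail'][0]
        }

        [pscustomobject]@{
            Account     = $name
            Exists      = [bool]$hit
            Mail        = $mail
            ReadyForRms = -not [string]::IsNullOrEmpty($mail)
        }
    }
}

function Get-UsersWithoutMail {
    # Lists every user object in the domain that has no mail attribute,
    # so accounts added later are not missed.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(mail=*)))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname'))

    $results = $searcher.FindAll()
    try {
        foreach ($hit in $results) {
            [string]$hit.Properties['samaccountname'][0]
        }
    }
    finally {
        # SearchResultCollection holds unmanaged resources.
        $results.Dispose()
    }
}

# Report on the two lab users, then list any other account lacking an address.
Get-RmsMailStatus | Format-Table -AutoSize
Get-UsersWithoutMail
```

Accounts listed by Get-UsersWithoutMail, such as RMSSRVC and RMSADMIN in this lab, only need an address if they will themselves publish or consume protected content.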
Configure the computer to be used as the RMS cluster (RMS-SRV)
To configure the member server RMS-SRV so that you can install RMS on it, you must
install Windows Server 2003, configure TCP/IP properties, and then join RMS-SRV to the
domain cpandl.com. You must also add the account RMSADMIN as a member to the
local administrators group. This is needed for RMSADMIN to install RMS on RMS-SRV.
Additionally, there are several prerequisite components that must be installed on the
RMS cluster including Internet Information Services (IIS), ASP.NET, Message Queuing,
and SQL Server 2005 Standard Edition.
First, install Windows Server 2003 as a stand-alone server.
To install Windows Server 2003, Standard Edition
1. Start your computer by using the Windows Server 2003 product CD. (You can
use any edition of Windows Server 2003 except the Web Edition to establish the
domain.)
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type RMS-SRV.
Next, configure TCP/IP properties so that RMS-SRV has a static IP address of 10.0.0.2.
In addition, configure the DNS server of DC (10.0.0.1).
To configure TCP/IP Properties
1. Log on to RMS-SRV as RMS-SRV\ADMINISTRATOR.
2. Click Start, point to Control Panel, and point to Network Connections, double-
click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type
10.0.0.2. In Subnet mask box, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In the Preferred
DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties
dialog box.
Next, join RMS-SRV to the cpandl.com domain.
To join RMS-SRV to the cpandl.com domain
1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Computer Name tab, and then click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type
cpandl.com.
5. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials, and click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the
cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the
computer must be restarted, click OK, and click Close.
10. Close the System dialog box.
Finally, add RMSADMIN to the local administrators group on RMS-SRV.
To add RMSADMIN to the local administrators group
1. Click Start, point to Control Panel, point to Administrative Tools, and then
click Computer Management.
2. Expand Local Users and Groups, and then click Groups.
3. Right-click Administrators, click Add to Group, click Add, and then type
RMSADMIN in the Enter the object names to select (examples) box.
4. Click OK twice and then close Computer Management.
Configure the Office SharePoint Server 2007 server (SPS-SRV)
To configure the Office SharePoint Server 2007 server SPS-SRV, you must install
Windows Server 2003, configure TCP/IP properties, join the computer to the cpandl.com
domain, add the RMS cluster to the Office SharePoint Server 2007 Server's Trusted Sites
Internet Explorer zone, and then install the RMS client application on this server.
To install Windows Server 2003, Standard Edition
1. Start your computer by using the Windows Server 2003 product CD. (You can
use any edition of Windows Server 2003 except the Web Edition to establish the
domain).
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type SPS-SRV.
Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.3.
In addition, configure 10.0.0.1 as the IP address for the DNS server.
To configure TCP/IP properties on SPS-SRV
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Control Panel, point to Network Connections, double-click
Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following IP address option. In the IP address box, type
10.0.0.3. In Subnet mask box, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In the Preferred
DNS server box, type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties
dialog box. Close the Local Area Connection Status dialog box.
7. Restart the computer for the changes to take effect.
Next, add SPS-SRV to the cpandl.com domain.
To join SPS-SRV to the cpandl.com domain
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Computer Name tab, and then click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type
cpandl.com.
5. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials, and then click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the
cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the
computer must be restarted, click OK.
Next, add the RMS cluster to the Internet Explorer Trusted Sites zone on the Office
SharePoint Server 2007 server so that RMS communication is not interrupted.
To add RMS-SRV to Trusted Sites
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Control Panel, and then click Internet Options.
3. Click the Security tab, click Trusted Sites, and then click the Sites button.
4. Type http://RMS-SRV, and then click Add.
5. Click Close, and then click OK.
Finally, install the RMS client on the Office SharePoint Server 2007 server.
To install the RMS 1.0 with SP2 client
1. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If
you are using a 64-bit version of Windows XP Professional or Windows
Server 2003, download the 64-bit version of the RMS client from
http://go.microsoft.com/fwlink/?LinkId=67935.
2. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-
ENU.exe to start the installation.
3. Click Next.
4. Select the I agree option to accept the End User License Agreement, and then
click Next twice to start the installation.
5. Click Close to finish the installation.
Configure the RMS client computer (RMS-CLNT)
To configure RMS-CLNT, you must install Windows XP Professional, configure TCP/IP
properties, join RMS-CLNT to the domain cpandl.com, and then install the RMS client.
You must also install an RMS-enabled application. In this example, you install Microsoft
Office Word 2007 on RMS-CLNT.
To install Windows XP Professional
1. Start your computer using the Windows XP Professional product CD.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type RMS-CLNT.
Next, configure TCP/IP properties so that RMS-CLNT has a static IP address of 10.0.0.4.
In addition, configure the DNS server of DC (10.0.0.1).
To configure TCP/IP properties
1. Click Start, click Control Panel, and then double-click Network Connections.
Right-click Local Area Connection, and then click Properties.
2. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
3. Click the Use the following IP address option. In the IP address box, type
10.0.0.4. In Subnet mask box, type 255.255.255.0.
4. Click the Use the following DNS server addresses option. In the Preferred
DNS server box, type 10.0.0.1.
5. Click OK, and then click OK to close the Local Area Connection Properties
dialog box.
6. Restart your computer for the changes to take effect.
Next, join RMS-CLNT to the cpandl.com domain.
To join RMS-CLNT to the cpandl.com domain
1. Log on to DC as CPANDL\ADMINISTRATOR.
2. Click Start, right-click My Computer, and then click Properties.
3. On the Computer Name tab, click Change.
4. In the Computer Name Changes dialog box, click Domain, and then type
cpandl.com.
5. Click More, and in Primary DNS suffix of this computer, type cpandl.com.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials, and then click OK.
8. When a Computer Name Changes dialog box appears welcoming you to the
cpandl.com domain, click OK.
9. When a Computer Name Changes dialog box appears telling you that the
computer must be restarted, click OK.
10. Click OK to close the System Properties dialog box.
11. In the System Settings Change dialog box, click Yes.
Next, the RMS client must be downloaded and installed on RMS-CLNT.
To install the RMS 1.0 SP2 client
1. Log on to RMS-CLNT as CPANDL\ADMINISTRATOR.
2. Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736. If
you are using a 64-bit version of Windows XP Professional or Windows
Server 2003, download the 64-bit version of the RMS client from
http://go.microsoft.com/fwlink/?LinkId=67935.
3. Double-click WindowsRightsManagementServicesSP2-KB917275-Client-
ENU.exe to start the installation.
4. Click Next.
5. Select the I agree option, and then click Next twice to start the installation.
6. Click Close to finish the installation.
Next, install Microsoft Office Word 2007 Professional.
To install Microsoft Office Word 2007 Professional
1. Click setup.exe on the Microsoft Office 2007 Professional product CD.
2. Click Customize as the installation type, set the installation type to Not
Available for Microsoft Office Access, Microsoft Office Excel, Microsoft Office
InfoPath, Microsoft Office Outlook, Microsoft Office PowerPoint, Microsoft Office
Publisher, and Microsoft Office Visio Viewer, and then click Install Now. This
may take several minutes to complete.
Step 2: Installing and Configuring RMS on RMS-SRV
To install RMS, you must complete the following steps:
Add the Application Server role to RMS-SRV. This will install IIS and ASP.NET.
Install Message Queuing
Install SQL Server 2005 Standard Edition
Install the RMS cluster
Configure RMS settings
Register the SCP in Active Directory
Add Application Server role to RMS-SRV
RMS uses IIS and ASP.NET to communicate with the RMS clients. To install IIS and
ASP.NET, you must complete the following steps:
To add the Application Server role
1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR. The Manage Your Server
window appears.
2. Click Add or remove a role.
3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.
4. Click Application Server (IIS, ASP.NET), and then click Next.
5. Select the Enable ASP.NET check box, and then click Next twice.
6. When asked for files from the Windows Server 2003 product CD, insert it into the
CD-ROM drive of the computer.
7. Click Finish to complete the installation.
Install Message Queuing
Message Queuing is used to send information from the RMS cluster to the RMS logging
database and must be installed prior to installing RMS. To install Message Queuing, you
must complete the following steps:
To install Message Queuing
1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, click Application Server, and
then click the Details button.
4. In the Application Server dialog box, select the Message Queuing check box,
and then click OK.
5. Click Next to start the installation.
6. Click Finish and close the Add or Remove Programs dialog box.
Install Microsoft SQL Server 2005 Standard Edition
RMS requires a database used for storing configuration and logging information.
Microsoft SQL Server 2005 Standard Edition is the database that will be used in this
guide. It will be installed on the same computer as the RMS cluster (RMS-SRV). In a
production environment, it is recommended to install the RMS database on a dedicated
computer.
Note
Microsoft SQL Server 2005 Express Edition is also supported as the database
server. However, Microsoft SQL Server 2005 Express Edition is not
recommended for use in production environments because it does not support
adding additional servers to the RMS cluster or the ability to view or modify data
stored in the configuration and logging databases. To download Microsoft SQL
Server 2005 Express Edition, go to http://go.microsoft.com/fwlink/?LinkId=73721.
To install Microsoft SQL Server 2005 Standard Edition, refer to the following steps:
To install Microsoft SQL Server 2005 Standard Edition
1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.
2. Start the installation from the Microsoft SQL Server 2005 product CD by double-
clicking Setup.exe.
3. Select the I accept the licensing terms and conditions check box, and then
click Next. When the Installing Prerequisites page reports that the required
components were installed successfully, click Next again.
4. When the system configuration check is complete, click Next on the Welcome to
the Microsoft SQL Server Installation Wizard page to start the installation.
5. If you see no errors on the System Configuration Check page, click Next.
6. Complete the Registration Information page, and then click Next.
7. On the Components to Install page, select the SQL Server Database Services
check box, and then click Next.
8. On the Instance Name page, verify that Default Instance is selected and then
click Next.
9. On the Service Account page, select the Use the built-in System account
option, click Next four times, and then click Install. The installation may take
several minutes to complete.
10. On the Setup Progress page, when the installation has completed and the
status of all the products in the list is Setup finished, click Next, and then click
Finish.
Install the RMS cluster
Now that all of the prerequisite software has been installed, it is time to install the RMS
cluster. To download RMS, go to http://go.microsoft.com/fwlink/?LinkId=73722. From
RMS-SRV, you should do the following in order to install RMS:
To install the RMS cluster
1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR.
2. Start the installation by double-clicking the installation file that you downloaded
from the Microsoft Web site.
3. Click Next.
4. Read the License Agreement, select the I agree option, and then click Next.
5. Accept the default installation folder, click Next, and then click Install.
6. When the installation completes, click Close.
Configure RMS settings
RMS is provisioned and administered by using a local Web site automatically created
during the RMS installation.
To provision RMS using Global Administration Web site
1. Click Start, point to All Programs, point to Windows RMS, and then click
Windows RMS Administration.
2. Click Provision RMS on this Web site.
3. In the User name box under RMS Service Account, type CPANDL\RMSSRVC,
and then type the password for CPANDL\RMSSRVC in the Password box.
4. In the RMS private key password box under Private key protection and
enrollment, enter a strong password, and then confirm this strong password in
the Enter password again box.
5. Type [email protected] in the Administrative contact box.
6. Under RMS Proxy Settings, clear the This computer uses a proxy server to
connect to the Internet check box.
7. Keep the default values for everything else on this page, and then click Submit.
This might take a few minutes to complete.
Register the SCP in Active Directory
The RMS service connection point (SCP) in Active Directory allows RMS clients to
discover the RMS cluster automatically. Active Directory SCP registration is not done
automatically during installation. To register the RMS SCP, you must do the following:
To register RMS SCP in Active Directory
1. Log on to RMS-SRV as CPANDL\ADMINISTRATOR or another Active Directory
user account that is a member of the Enterprise Admins group in the CPANDL
Active Directory domain.
2. Click Start, point to All Programs, point to Windows RMS, and then click
Windows RMS Administration.
3. Click Administer RMS on this Web site.
4. Scroll to the bottom of the page and click RMS service connection point.
5. Click Register URL.
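To confirm that the registration succeeded, the SCP can be read back from the Active Directory configuration partition. The following PowerShell check is an added example, not part of the original guide; the expected URL is an assumption built from the guide's server name, and the fallback value is constructed so the script also runs on a computer that cannot reach a domain controller.

```powershell
# Added example (not from the guide): confirm the RMS SCP is registered.
# Assumption: the cluster certification URL, built from the guide's server name.
$expectedUrl = 'http://rms-srv/_wmcs/certification'

function Get-RmsScpUrl {
    # The configuration partition is forest-wide; read its DN from RootDSE.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    if ([string]::IsNullOrEmpty($configNc)) { throw 'RootDSE could not be read.' }
    $scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return $null    # SCP object absent: Register URL has not been run
    }
    $scp = [ADSI]$scpPath
    return [string]$scp.Properties['serviceBindingInformation'].Value
}

function Test-RmsScp {
    param([string]$Registered, [string]$Expected)
    if ([string]::IsNullOrEmpty($Registered)) { return 'NotRegistered' }
    # Compare case-insensitively and ignore a trailing slash.
    if ($Registered.TrimEnd('/') -ieq $Expected.TrimEnd('/')) { return 'Match' }
    return 'Mismatch'   # clients would discover a different cluster
}

try {
    $url = Get-RmsScpUrl
} catch {
    # No domain controller reachable: fall back to a constructed sample value.
    Write-Warning 'Directory lookup failed; using a constructed sample value.'
    $url = 'http://rms-srv/_wmcs/certification'
}
'{0}: {1}' -f (Test-RmsScp -Registered $url -Expected $expectedUrl), $url
```

A result of Mismatch deserves attention, because every RMS client in the forest follows this value to find its cluster.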
Step 3: Installing and Configuring Office SharePoint Server 2007 on SPS-SRV
To install Office SharePoint Server 2007, you must complete the following steps:
• Install Microsoft .NET Framework 2.0
• Install Microsoft .NET Framework 3.0
• Add the Application Server role to SPS-SRV
• Install Office SharePoint Server 2007
• Configure Office SharePoint Server 2007 for RMS
Install Microsoft .NET Framework 2.0
The Microsoft .NET Framework 2.0 is required by Office SharePoint Server 2007. To
install the .NET Framework 2.0, you must complete the following steps:
To install Microsoft .NET Framework 2.0
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Download the .NET Framework 2.0 from
http://go.microsoft.com/fwlink/?LinkId=73913.
3. Double-click dotnetfx.exe to start the installation, and then click Run in the
Open File - Security Warning dialog box.
4. Click Next, select the I accept the terms of the License Agreement option, and
then click Install.
5. Click Finish to complete the installation.
Install Microsoft .NET Framework 3.0
Windows Workflow Foundation, required by Office SharePoint Server 2007, has been
integrated into .NET Framework 3.0. To install the .NET Framework 3.0, you must
complete the following steps:
To install .NET Framework 3.0
1. Download Microsoft .NET Framework 3.0 from
http://go.microsoft.com/fwlink/?LinkId=73912.
2. Double-click dotnetfx3setup.exe, and then click Run in the Open File -
Security Warning dialog box.
3. Click the I have read and ACCEPT the terms of the license agreement option,
and then click Install.
4. Click Exit to complete the installation.
Add Application Server role to SPS-SRV
Office SharePoint Server 2007 uses the Application Server role, which contains IIS and
ASP.NET, to host Office SharePoint Server 2007 document libraries. To install the
Application Server role, you must complete the following steps:
To add the Application Server role
1. Click Start, point to All Programs, point to Administrative Tools, and then click
Manage Your Server.
2. On the Preliminary Steps page of the Configure your Server Wizard, click Next.
3. Click Application Server (IIS, ASP.NET), and then click Next.
4. Select the Enable ASP.NET check box, and then click Next twice.
5. When prompted for the CD, insert the Windows Server 2003 product CD into the
CD-ROM drive, and then click OK.
6. Click Finish to complete the installation.
Install Office SharePoint Server 2007
Once all of the prerequisite components have been installed, you are ready to start
installing Office SharePoint Server 2007. The following steps are required to install
Office SharePoint Server 2007:
To install Office SharePoint Server 2007
1. Double-click setup.exe from the Office SharePoint Server 2007 product CDs.
2. Enter your Product Key, and then click Continue.
3. Select the I accept the terms of the agreement check box, and then click
Continue.
4. Click Basic.
5. After installation has completed, make sure that the Run the SharePoint
Products and Technologies Configuration Wizard now check box is selected,
and then click Close.
6. On the SharePoint Products and Technologies Configuration Wizard dialog
box, click Next. Click Yes on the message that appears. This may take several
minutes to complete.
7. Click Finish to complete the installation.
Note
Before you add users to Office SharePoint Server 2007, configure Office
SharePoint Server 2007 for RMS.
Configure Office SharePoint Server 2007 for RMS
After Office SharePoint Server 2007 has been installed, there are several things that
must be completed to integrate Office SharePoint Server 2007 with RMS:
• Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer
  zone.
• Add the Office SharePoint Server 2007 server to the RMS certification pipeline.
• Enable Information Rights Management in Office SharePoint Server 2007.
• Add USER1 and USER2 to the SharePoint site.
• Restrict permissions by using RMS.
First, add the Office SharePoint Server 2007 site to the Internet Explorer Trusted Sites
zone on the Office SharePoint Server 2007 computer.
To add SPS-SRV to Trusted Sites
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Control Panel, and then click Internet Options.
3. Click the Security tab, click Local Intranet, and then click the Sites button.
4. Type http://SPS-SRV, and then click Add.
5. Click Close, and then click OK.
Next, add the Office SharePoint Server 2007 server and RMS Service Group to the RMS
cluster certification pipeline.
Important
By default, the RMS cluster certification pipeline ACL is configured to allow only
the local System account. You must add the permissions in order for Office
SharePoint Server 2007 to integrate with RMS.
To add SPS-SRV to the RMS Certification Pipeline
1. Log on to RMS-SRV as CPANDL\RMSADMIN.
2. Click Start, and then click My Computer.
3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
4. Right-click ServerCertification.asmx, click Properties, and then click the
Security tab.
5. Click Add.
6. Click Object Types, select the Computers check box, and then click OK.
7. Type SPS-SRV, and then click OK.
8. Click Add.
9. Click Object Types, select the Groups check box, and then click OK.
10. Type RMS-SRV\RMS Service Group, and then click OK.
11. Click OK to close the ServerCertification.asmx Properties dialog box.
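After the ACL change, it is worth confirming that only the intended principals can reach the certification pipeline. The following PowerShell audit is an added example, not part of the original guide; it assumes SPS-SRV is a member of the CPANDL domain (so its computer account appears as CPANDL\SPS-SRV$), the list of overly broad groups is illustrative, and the sample ACL used when the file is not present is constructed.

```powershell
# Added example (not from the guide): audit who is allowed on the pipeline file.
$path = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

# Principals the guide's procedure leaves on the file. Assumption: SPS-SRV is a
# member of the CPANDL domain, so its computer account reads CPANDL\SPS-SRV$.
$expected = 'NT AUTHORITY\SYSTEM', 'CPANDL\SPS-SRV$', 'RMS-SRV\RMS Service Group'
# Broad groups that would open the pipeline to far more than SharePoint.
$tooBroad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
            'CPANDL\Domain Users', 'CPANDL\Domain Computers'

function Compare-PipelineAcl {
    param([string[]]$Granted, [string[]]$Expected, [string[]]$TooBroad)
    New-Object PSObject -Property @{
        Missing    = @($Expected | Where-Object { $Granted -notcontains $_ })
        TooBroad   = @($Granted  | Where-Object { $TooBroad -contains $_ })
        Unexpected = @($Granted  | Where-Object {
                         ($Expected -notcontains $_) -and ($TooBroad -notcontains $_) })
    }
}

if (Test-Path -Path $path) {
    # Collect every identity that holds an Allow entry, inherited or explicit.
    $granted = @((Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
} else {
    # Constructed sample for running away from RMS-SRV: SharePoint was added,
    # the service group was forgotten, and Everyone was granted by mistake.
    $granted = 'NT AUTHORITY\SYSTEM', 'CPANDL\SPS-SRV$', 'Everyone'
}

$result = Compare-PipelineAcl -Granted $granted -Expected $expected -TooBroad $tooBroad
$result | Format-List Missing, TooBroad, Unexpected
```

Entries under Missing explain a failed SharePoint integration; entries under TooBroad or Unexpected mean more accounts than the guide intends can reach the certification pipeline.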
Once the RMS cluster certification pipeline has been opened to allow SPS-SRV to
communicate with it, you must configure Office SharePoint Server 2007 to use the RMS
cluster:
To enable Information Rights Management in Office SharePoint Server 2007
1. Log on to SPS-SRV as CPANDL\ADMINISTRATOR.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0
Central Administration.
3. Click Operations, and then click Information Rights Management.
4. Click Use the default RMS server specified in Active Directory.
5. Click OK.
Next, give USER1 and USER2 access to the RMS SharePoint site so that the Office
SharePoint Server integration with RMS can be verified later in this guide:
To add USER1 and USER2 to the SharePoint site
1. Click Start, point to All Programs, and then click Internet Explorer.
2. Type http://SPS-SRV/ in the address bar, and then click Go. This will open the
default Office SharePoint Server 2007 site that was created during installation.
3. Click Site Actions, point to Site Settings, and then click People and Groups.
4. Click New, and then click Add Users.
5. Type [email protected];[email protected] in the Users/Groups
box, and then click OK.
Create an Office SharePoint Server 2007 permission policy on the default document
library. This permission policy will be used to restrict the ability to print any documents
that are uploaded to the document library:
To restrict permissions using RMS
1. In the same Office SharePoint Server 2007 site, click Home.
2. Click Document Center, click Documents, click Settings, and then click
Document Library Settings.
3. Under the Permissions and Management heading, click Information Rights
Management.
4. Select the Restrict permission to documents in this library on download
check box.
5. Type CPANDL Protected in the Permissions policy title box.
6. Type Restrict CPANDL employees from printing in the Permission policy
description box.
7. Click OK.
Note
In addition to the permissions policy, Office SharePoint Server 2007 will also
automatically apply RMS rights to the document when it is downloaded from the
Office SharePoint Server 2007 site. These rights are determined by the Office
SharePoint Server 2007 group membership for that site. For example, a user
who is in the Visitors Office SharePoint Server 2007 group will not be able to
modify the document when it is downloaded from the Office SharePoint
Server 2007 site.
Step 4: Verifying RMS Functionality on RMS-CLNT
To verify the functionality of the RMS deployment, you log on as USER1, create a new
Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site
so that users who download the document will not be able to print it. You then log on as
USER2, download the document from the Office SharePoint Server 2007 site and verify
that the ability to print the document has been restricted.
To create and upload a Microsoft Word document for testing
1. Log on to RMS-CLNT as USER1.
Note
Since USER1 is the author of this document, USER1 will have full rights
to the document, regardless of the RMS rights that are applied to it.
2. Click Start, point to All Programs, point to Microsoft Office, and then click
Microsoft Office Word 2007.
3. Type This document is read-only. You cannot print it. in the new document,
click the Microsoft Office Button, click Save As, and then save the file as RMS-
TST.docx.
4. Close Microsoft Office Word 2007.
5. Click Start, point to All Programs, and then click Internet Explorer.
6. Type http://SPS-SRV/ in the address bar, and then click Go.
7. Click Document Center, and then click Documents.
8. Click Upload, and then click Upload Document.
9. Click Browse, click RMS-TST.docx, and then click Open.
10. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the
restrictions set on the library.
11. Log off as USER1.
Finally, log on as USER2 and open the document from the Office SharePoint
Server 2007 site.
To open a protected document
1. Log on to RMS-CLNT as USER2.
2. Click Start, click All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV/ in the address bar, and then click Go.
4. Click Document Center, and then click Documents.
5. Click RMS-TST, and then click OK to open the document as Read Only.
6. The following message will appear: "Permission to this document is currently
restricted. Microsoft Office must connect to http://rms-srv/_wmcs/licensing
to verify your credentials and download your permission."
7. Click OK.
8. The following message will appear: "Verifying your credentials for opening
content with restricted permissions".
9. The Print button in the toolbar is disabled.
You have successfully deployed, integrated, and demonstrated the functionality of RMS
and Office SharePoint Server 2007, using the simple scenario of uploading a Microsoft
Office Word 2007 document to an Office SharePoint Server 2007 site. You can also use
this deployment to explore some of the additional capabilities of RMS through additional
configuration and testing.